This post is also available in: heעברית (Hebrew)

Gad Elkin, EMEA Security Information Director, F5

DDoS and ransomware are two well-established methods for cyber attacks, but a newly appeared tactic combines elements of both methods: Extortion via DDoS attacks.

From the attacks we’ve witnessed so far, there is an almost professional approach to the entire process: First, an e-mail is sent explaining who the attackers are, with attachments to blogs that wrote about them and their blackmailing tactic. This e-mail goes on to state that unless a ransom is paid (usually around 40 Bitcoin but demands can reach to hundreds of Bitcoin), a DDoS attack on a large scale will commence. Alternatively, mail from the attacks will arrive only after the attack has begun, stating that the attack will cease only when a ransom is paid, or that the severity of the attack will be decreased if a part of the payment is transferred.

We followed several attacks which started slow and grew in scale – DD4BC, the company behind the extortion, claims it can commence attacks of up to 400-500 Gbps. It is quite rare for attacks of this kind to be so powerful, but they have been known to last up to 18 hours, so it is more than enough time to cause significant damage to an organization.

At this time, it seems that there is no focus on a specific industry, but there is one central motive – the targets we have witnessed so far were those relying on online transactions, such as financial institutions.

It is important to point out the the element of extortion can in fact be a tactical distraction, meaning that the client is preparing for a massive attack when in fact the attacker is really aiming to a local application with a different attack vector. This means that hackers can attack on a local application level which includes any form of penetration to the application itself. The target is often not to crash or disrupt a website or service, but to gain access to the application in order to steal information, be it documents, financial information, personal information or something else.

Sometimes, targets may think that the e-mail is junk mail and ignore it but that is not necessarily the best way to act. Of course, this does not mean we suggest paying the ransom. Receiving the mail leaves targets with an option to curb the attack, even though the mail specifically says that trying to curb DDoS attack is futile. Attackers may claim that the attack is too large so that even the best technology can’t cope with it, but that is simply not true.

Curbing the attack is possible by using a combination of local servers with cloud-based anti-DDoS technologies. A hybrid approach offers a company a way to restrain such attacks which began outside the infrastructure as well as a way of coping with local level attacks aimed for the application layer.

DDoS attacks of up to 500 Gbps can be stopped using cloud-based technologies alone. Attacks on network and local applications level (when DDoS is merely a diversion) can be stopped using technologies based on local system. One approach is not enough. A hybrid method is the key to protect your organization from the ever expanding depot of ammunition of cyber criminals.